On 1/11/19 3:24 PM, dbischof--- via FreeIPA-users wrote:
Hi Florence,
On Thu, 10 Jan 2019, Florence Blanc-Renaud wrote:
> On 1/10/19 1:46 PM, dbischof--- via FreeIPA-users wrote:
> [...]
> you can use ldapmodify to manually add the missing certificate:
>
> 1. transform the RA agent cert into der format
> $ openssl x509 -outform der -in /var/lib/ipa/ra-agent.pem -out /tmp/ra-agent.der
>
> 2. upload the cert in LDAP
> $ ldapmodify -h ipa2 -p 389 -D "cn=directory manager" -W
> Enter LDAP Password:
> dn: uid=ipara,ou=people,o=ipaca
> changetype: modify
> add: usercertificate
> usercertificate:< file:///tmp/ra-agent.der
>
> modifying entry "uid=ipara,ou=people,o=ipaca"
>
> <Ctrl-D> to exit
>
> After that, you should be able to re-run ipa-server-upgrade. At this
> point, please make sure that replication could be re-established
> between the two nodes.
Your help is greatly appreciated.
I had to additionally change the cert serial in "description" the same
way via ldapmodify, but now ipa-server-upgrade goes smoothly and IPA on
ipa2 comes up properly after a reboot. Fine.
Regarding replication: Checking whether replication works properly is
achieved with "ipa-replica-manage -v list <host>", right? Has to work on
both IPA servers and "last update ended" must be a reasonably recent
timestamp?
Yes, ipa-replica-manage -v list <host> will display the status of the
replication for the domain (user, hosts, ...). The value of "last update
status" must be "Replica acquired successfully: Incremental update
succeeded".
If the topology includes multiple CA instances, replication is also
configured for the CA data, and the status can be found using
ipa-csreplica-manage -v list <host>.
HTH,
flo
Mit freundlichen Gruessen/With best regards,
--Daniel.
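
Added example, not part of either poster's message and not FreeIPA code: a shell check that applies the two criteria discussed above to `ipa-replica-manage -v list <host>` output, namely the "last update status" text Florence quotes and a recent "last update ended" timestamp. The output layout in the constructed sample, UTC timestamps, the hostname ipa2.example.com and the one-hour freshness threshold are assumptions.

```shell
#!/bin/sh
# Reads `ipa-replica-manage -v list <host>` output on stdin, prints one verdict
# per agreement, and returns non-zero if any agreement is unhealthy or none is seen.
# $1 = max age in seconds of "last update ended" (assumed default: 3600)
# $2 = current time as epoch seconds (defaults to now; settable for testing)
check_repl_status() {
    max_age=${1:-3600}
    now=${2:-$(date -u +%s)}
    awk -v max="$max_age" -v now="$now" \
        -v want="Replica acquired successfully: Incremental update succeeded" '
    # "YYYY-MM-DD HH:MM:SS[+00:00]" -> epoch seconds; offset ignored (assumes UTC)
    function epoch(ts,   p, y, m, d, era, yoe, doy, days) {
        split(ts, p, /[- :+]/)
        y = p[1] + 0; m = p[2] + 0; d = p[3] + 0
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        days = era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
        return days * 86400 + p[4] * 3600 + p[5] * 60 + p[6]
    }
    /^[^ \t]/ { host = $1; sub(/:$/, "", host) }   # e.g. "ipa2.example.com: replica"
    /last update status:/ { good = index($0, want) > 0 }
    /last update ended:/ {
        sub(/.*last update ended: */, "")
        age = now - epoch($0)
        verdict = (good && age >= 0 && age <= max) ? "OK" : "FAIL"
        if (verdict == "FAIL") bad++
        printf "%s %s status_ok=%d age=%ds\n", verdict, host, good, age
        n++; good = 0
    }
    END { exit (n == 0 || bad > 0) }'
}

# Constructed sample of the verbose listing (not captured from a real server).
# $1 = "last update status" text, $2 = "last update ended" value
sample_output() {
    printf '%s\n' "ipa2.example.com: replica" \
        "  last init status: None" \
        "  last init ended: 1970-01-01 00:00:00+00:00" \
        "  last update status: $1" \
        "  last update ended: $2"
}

# Demo on the constructed sample, with "now" fixed at 2019-01-11 14:25:00 UTC.
# Real use: ipa-replica-manage -v list ipa2.example.com | check_repl_status 3600
sample_output "Error (0) Replica acquired successfully: Incremental update succeeded" \
    "2019-01-11 14:20:03+00:00" | check_repl_status 3600 1547216700
```

Run it against each server in turn, since the listing has to look healthy from both sides.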